Full Report
PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and a CVSS v4 score of 9.3.

The vulnerability affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:

- Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
- FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

The advisory stresses that all CPS versions before 11.0 M030 are also susceptible. PTC confirmed that, to date, there is no evidence of active exploitation affecting its customers, but the risk remains critical due to the nature of the Remote Code Execution threat.

**Nature of the Windchill and FlexPLM Vulnerability**

The reported vulnerability stems from improper handling of deserialized, untrusted data. Exploitation can allow an attacker to execute arbitrary code on affected systems, compromising security and potentially enabling full system takeover. PTC highlighted that the vulnerability is particularly dangerous for publicly accessible Windchill and FlexPLM instances, though it advises applying mitigations to all deployments regardless of Internet exposure.

**Immediate Mitigation Steps**

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:

For Apache HTTP Server:

1. Create a new configuration file named `90-app-Windchill-Auth.conf` under `/conf/conf.d/`.
2. Add the following directive: `Require all denied`
3. Ensure this file is the last in the configuration sequence and restart the Apache server.

For Microsoft IIS:

1. Verify the presence of the URL Rewrite module; if absent, download and install it from the IIS website.
2. Modify the `web.config` file to include the rewrite rule as the first tag in `<system.webServer>`.
3. Restart IIS using `iisreset` and confirm the rule is active in IIS Manager.

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.

**Additional Protection Measures**

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet. PTC has also committed to 24x7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customers, the Apache workaround has already been implemented across all hosted environments.

**Indicators of Compromise**

Security teams are advised to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:

Network and User-Agent Patterns:

- User-Agent: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36`
- Suspicious HTTP requests: `run?p=`, `.jsp?p=`, `run?c=`, `.jsp?c=`

File System Indicators:

- `GW.class` or `payload.bin` (SHA256: `C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1`)
- Any dpr_.jsp file
- Other class files, including `Gen.class`, `HTTPRequest.class`, `HTTPResponse.class`, `IXBCommonStreamer.class`, `IXBStreamer.class`, `MethodFeedback.class`, `MethodResult.class`, `WTContextUpdate.class`, and their Java equivalents

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.

Log and Error Patterns:

- Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any identified IOCs immediately and initiate internal security response plans. This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments. By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect sensitive data.
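A sweep for the file-system indicators listed in the report, as an added example that is not PTC's tooling or part of the original report. The function names are hypothetical, the JSP indicator is assumed to take the wildcard form `dpr_*.jsp`, and the directory to scan is passed in by the caller.

```python
import fnmatch
import hashlib
import os
import tempfile

# SHA-256 the advisory gives for GW.class / payload.bin (lower-cased for comparison).
IOC_SHA256 = "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"
CLASS_STEMS = ["Gen", "HTTPRequest", "HTTPResponse", "IXBCommonStreamer",
               "IXBStreamer", "MethodFeedback", "MethodResult", "WTContextUpdate"]
# Names from the advisory; ".java" covers "their Java equivalents".
NAME_PATTERNS = (["gw.class", "payload.bin", "dpr_*.jsp"] +
                 [f"{s}{ext}".lower() for s in CLASS_STEMS for ext in (".class", ".java")])

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep(root, known_sha256=IOC_SHA256):
    """Return sorted (relative_path, verdict) pairs for files under root.

    "hash-match": content identical to the published sample, whatever the name.
    "name-match": a listed file name whose content differs from the sample.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if sha256_of(path) == known_sha256.lower():
                    findings.append((rel, "hash-match"))
                    continue
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in NAME_PATTERNS):
                findings.append((rel, "name-match"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed demo tree; point sweep() at the real install directory instead.
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("dpr_1a2b3c4d.jsp", "Gen.class", "readme.txt"):
            open(os.path.join(tmp, rel), "wb").close()
        print(sweep(tmp))
```

Every file is hashed so that a renamed copy of the sample is still caught, which makes the sweep I/O heavy on a large installation.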
Analysis Summary
# Vulnerability: Critical RCE in PTC Windchill and FlexPLM
## CVE Details
- **CVE ID:** CVE-2026-4681
- **CVSS Score:** 10.0 (Base v3.1) / 9.3 (Base v4.0) (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code / 'Code Injection')
## Affected Systems
- **Products:** PTC Windchill PDMLink, PTC FlexPLM
- **Versions:**
  - **Windchill PDMLink:** 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0 through 13.1.3.0.
  - **FlexPLM:** 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
  - **Legacy:** All Critical Patch Set (CPS) versions prior to 11.0 M030 are also susceptible.
- **Configurations:** All deployments are at risk, with elevated danger for instances accessible via the public internet.
## Vulnerability Description
The flaw arises from the improper handling of deserialized untrusted data. An attacker can exploit this weakness to inject and execute arbitrary code on the host system. This can lead to a complete system takeover and unauthorized access to sensitive PLM (Product Lifecycle Management) data.
## Exploitation
- **Status:** Not currently observed in the wild (as of the advisory date); no public PoC was explicitly mentioned, though internal technical details suggest a high susceptibility to automated scanning.
- **Complexity:** Medium (requires knowledge of the deserialization endpoint).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Critical (Full access to product data and credentials).
- **Integrity:** Critical (Ability to modify or delete system files and data).
- **Availability:** Critical (Potential for full system shutdown or ransomware deployment).
## Remediation
### Patches
PTC is working on official security patches. Users should check the PTC support portal for Critical Patch Set (CPS) updates released for their specific version.
### Workarounds
**For Apache HTTP Server:**
1. Create `90-app-Windchill-Auth.conf` in `/conf/conf.d/`.
2. Add directive: `Require all denied`.
3. Ensure it is the last file loaded and restart Apache.
**For Microsoft IIS:**
1. Install the **URL Rewrite module**.
2. Modify `web.config` to include the specific PTC-provided rewrite rule as the first tag in `<system.webServer>`.
3. Execute `iisreset`.
**General Mitigations:**
- Disconnect systems from the public internet if workarounds cannot be applied.
- Temporarily shut down Windchill/FlexPLM services.
## Detection
### Indicators of Compromise (IoCs)
- **File System:**
  - `GW.class` or `payload.bin` (SHA256: `C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1`)
  - Any files following the pattern `dpr_*.jsp`.
  - Presence of unexpected class files: `Gen.class`, `HTTPRequest.class`, `HTTPResponse.class`, `IXBCommonStreamer.class`, etc.
- **Network/Logs:**
  - **User-Agent:** `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36`
  - **Request Patterns:** `run?p=`, `.jsp?p=`, `run?c=`, `.jsp?c=`
  - **Log Messages:** References to `GW_READY_OK`, `ClassNotFoundException for GW Windchill`, or `HTTP Gateway Exception`.
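Triage logic for the network and log indicators above, as an added example that is not PTC's tooling or part of the original report. It assumes access logs in Apache "combined" format and that the GW `ClassNotFoundException` appears with both tokens on one line; the function names, sample lines and severity labels are constructed for illustration.

```python
import re

# Indicators copied from the advisory text on this page.
IOC_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36")
IOC_REQUEST = re.compile(r"(?:run|\.jsp)\?[pc]=")  # run?p= .jsp?p= run?c= .jsp?c=
IOC_MESSAGES = ("GW_READY_OK", "HTTP Gateway Exception")
# Assumption: the GW ClassNotFoundException shows up as both tokens on one line.
IOC_CNFE = re.compile(r"ClassNotFoundException.*\bGW\b")
# Assumption: access logs are in Apache "combined" format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def triage_line(line):
    """Return the set of indicator names that a single log line matches."""
    hits = set()
    m = COMBINED.match(line)
    if m:
        if IOC_REQUEST.search(m["target"]):
            hits.add("request-pattern")
        if m["ua"] == IOC_UA:
            hits.add("user-agent")
    elif any(msg in line for msg in IOC_MESSAGES) or IOC_CNFE.search(line):
        hits.add("log-message")  # application or server log text
    return hits

def triage(lines):
    """Return (line_no, severity, hits) for every line with at least one hit."""
    out = []
    for no, line in enumerate(lines, 1):
        hits = triage_line(line)
        if hits:
            # The UA is a stock Chrome string and "?p=" / "?c=" are common query
            # parameters, so either alone is "review"; together they are "high".
            strong = "log-message" in hits or {"request-pattern", "user-agent"} <= hits
            out.append((no, "high" if strong else "review", sorted(hits)))
    return out

# Constructed sample lines (documentation IPs, placeholder paths), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder/run?p=x HTTP/1.1" 200 12 "-" "' + IOC_UA + '"',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder/list.jsp?c=3 HTTP/1.1" 200 900 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /placeholder/index.html HTTP/1.1" 200 51 "-" "' + IOC_UA + '"',
    "2026-01-01 10:00:01 ERROR [placeholder] GW_READY_OK",
    "2026-01-01 10:00:02 INFO [placeholder] startup complete",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```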
## References
- PTC Advisory: [hxxps://thecyberexpress[.]com/flexplm-vulnerability-cve-2026-4681/]
- PTC Support Portal: [hxxps://www[.]ptc[.]com/en/support]